infra/gcp: setup k8s-project-triage special-case

Same steps as were done for k8s-project-metrics:
- add a gs://k8s-project-triage bucket to kubernetes-public
- give the google.com triage SA write access to this bucket
- add a k8s-triage SA
- give it roles/bigquery.user in k8s-infra-prow-build-trusted and
  kubernetes-public
- give it write access to gs://k8s-project-triage

While here, I removed the binding removal code for gs://k8s-metrics

infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/main.tf

@@ -34,6 +34,7 @@ locals {
   gcb_builder_sa_name          = "gcb-builder"          // Allowed to run GCB builds and push to GCS buckets
   prow_deployer_sa_name        = "prow-deployer"        // Allowed to deploy to prow build clusters
   k8s_metrics_sa_name          = "k8s-metrics"          // Allowed to write to gs://k8s-metrics
+  k8s_triage_sa_name           = "k8s-triage"           // Allowed to write to gs://k8s-project-triage
 }
 
 data "google_organization" "org" {
@@ -165,6 +166,31 @@ resource "google_project_iam_member" "k8s_metrics_sa_bigquery_user" {
   member  = "serviceAccount:${google_service_account.k8s_metrics_sa.email}"
 }
 
+// workload_identity_service_account: triage
+resource "google_service_account" "k8s_triage_sa" {
+  project      = local.project_id
+  account_id   = local.k8s_triage_sa_name
+  display_name = local.k8s_triage_sa_name
+}
+data "google_iam_policy" "k8s_triage_sa_workload_identity" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+    members = [
+      "serviceAccount:${local.project_id}.svc.id.goog[${local.pod_namespace}/${local.k8s_triage_sa_name}]",
+    ]
+  }
+}
+resource "google_service_account_iam_policy" "k8s_triage_sa_iam" {
+  service_account_id = google_service_account.k8s_triage_sa.name
+  policy_data        = data.google_iam_policy.k8s_triage_sa_workload_identity.policy_data
+}
+// roles: triage
+resource "google_project_iam_member" "k8s_triage_sa_bigquery_user" {
+  project = local.project_id
+  role    = "roles/bigquery.user"
+  member  = "serviceAccount:${google_service_account.k8s_triage_sa.email}"
+}
+
 // workload_identity_service_account: kubernetes-external-secrets
 // description: used by kubernetes-external-secrets to read specific secrets in this and other projects
 resource "google_service_account" "kubernetes_external_secrets_sa" {

infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-serviceaccounts.yaml

@@ -23,6 +23,14 @@ metadata:
     iam.gke.io/gcp-service-account: [email protected]
   name: k8s-metrics
   namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: [email protected]
+  name: k8s-triage
+  namespace: test-pods
 
 # Infrastructure management service accounts
 ---

infra/gcp/ensure-main-project.sh

@@ -410,6 +410,29 @@ function ensure_prow_special_cases {
       local owners="[email protected]"
       local old_service_account="[email protected]"
 
+      ensure_public_gcs_bucket "${project}" "${bucket}"
+      ensure_gcs_bucket_auto_deletion "${bucket}" "365" # match gs://k8s-metrics
+      # GCS admins can admin all GCS buckets
+      empower_gcs_admins "${project}" "${bucket}"
+      # bucket owners can admin this bucket
+      empower_group_to_admin_gcs_bucket "${owners}" "${bucket}"
+      # k8s-infra-prow-build-trusted can write to this bucket
+      principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "k8s-metrics")"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+      # TODO(spiffxp): this is a test to confirm we _can_ charge bigquery usage elsewhere
+      #                and might prove convenient since there are datasets in this project,
+      #                but this should probably not be the long-term home of usage billing
+      # k8s-infra-prow-build-trusted can charge bigquery usage to this project
+      ensure_project_role_binding "${project}" "${principal}" "roles/bigquery.user"
+    ) 2>&1 | indent
+
+    color 6 "Special case: ensuring gs://k8s-project-triage exists"
+    (
+      local bucket="gs://k8s-project-triage"
+      local owners="[email protected]"
+      local old_service_account="[email protected]"
+
       ensure_public_gcs_bucket "${project}" "${bucket}"
       ensure_gcs_bucket_auto_deletion "${bucket}" "365" # match gs://k8s-metrics
       # GCS admins can admin all GCS buckets
@@ -419,10 +442,10 @@ function ensure_prow_special_cases {
       # TODO(spiffxp): remove once bindings have been removed
       # k8s-prow-builds can no longer write to this bucket
       principal="serviceAccount:${old_service_account}"
-      ensure_removed_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
-      ensure_removed_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
       # k8s-infra-prow-build-trusted can write to this bucket
-      principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "k8s-metrics")"
+      principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "k8s-triage")"
       ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
       ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
       # TODO(spiffxp): this is a test to confirm we _can_ charge bigquery usage elsewhere